If you solve the requirements in order this machine is quite easy to solve. Let's change the /etc/hosts file and add our domain.
Next step I enumerate the domain that I found using dirsearch and feroxbuster. Also I do a subdomain enumeration using wfuzz.
As I said all you need to do is to enumerate in the order that the req are asking you. So if you access test.php and try some LFI payloads you will get some answers.
Now let's get access using some LFI2RCE techniques, but first I will restart the machine because with fuzzing I generate a lot of logs and the content is to large and I like it to be easy to read.
So it is about user-agent. Let's exploit this by inject a payload in the user-agent.
Exploitation
After this go to website and refresh the page with logs and you will get a reverse shell. Don't forget to open a listener. I don't put the flags here, try to do the machine on your own.
Privilege Escalation
After some minutes of enumeration I found an interesting file in /opt directory. This file can modified by everyone and also it is executed every minute by archangel user.
As you see I try some payload, but the last one worked and now I am archangel user. Now lets get root privilege.
After a while I get root access. I found an ELF file (backup). Analyze this file and you will see that executes the following command.
Cp command is executed without absolute path (/bin/cp), so you can exploit this. Make an executable file named cp in home directory of archangel and change the path variable and you will get root access.
